AUTHORIZATION
DEFINITION
◦ Authorization is the function of specifying access rights/privileges to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define an access policy.
◦ For example, human resources staff are normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer software and other hardware on the computer.
DIFFERENCE BETWEEN AUTHENTICATION AND AUTHORIZATION
◦ Both authentication and authorization are used with respect to information security, which provides security for an automated information system. Both are very important topics, often associated with the web as key pieces of its service infrastructure. However, the two terms are very different, with entirely different concepts. While it is true that they are often used in the same context with the same tool, they are completely distinct from one another.
◦ In the authentication process, the identity of a user is checked before access to the system is provided. In the authorization process, the person's or user's permissions are checked before access to resources is granted. Authentication is done before the authorization process, whereas the authorization process is done after authentication.
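As an added illustration (not part of the slides), here is the definition's HR example formalized as access control rules, with a decision function that rejects unauthenticated consumers before any rule is consulted and otherwise denies by default; the role names, resources and actions are constructed sample data:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One access control rule: consumers holding `role` may perform `actions` on `resource`."""
    role: str
    resource: str
    actions: frozenset


@dataclass
class Consumer:
    """A requester (user, program or device). `authenticated` is set by the login step."""
    name: str
    authenticated: bool
    roles: frozenset = field(default_factory=frozenset)


# Constructed policy, formalizing the HR example from the definition.
POLICY = (
    Rule("hr", "employee_record", frozenset({"read", "update"})),
    Rule("employee", "employee_record", frozenset({"read_own"})),
    Rule("it_admin", "device", frozenset({"read", "configure"})),
)


def authorize(consumer, resource, action, policy=POLICY):
    """Decide an access request. Returns (granted, reason).

    Authentication is a precondition: an unverified consumer is rejected before
    any rule is consulted. Otherwise the first matching rule grants; with no
    match the request is rejected (default deny)."""
    if not consumer.authenticated:
        return False, "rejected: consumer not authenticated"
    for rule in policy:
        if rule.role in consumer.roles and rule.resource == resource and action in rule.actions:
            return True, f"granted by rule role={rule.role} resource={rule.resource} action={action}"
    return False, "rejected: no rule grants this access (default deny)"


if __name__ == "__main__":
    hr = Consumer("alice", authenticated=True, roles=frozenset({"hr"}))
    anon = Consumer("alice", authenticated=False, roles=frozenset({"hr"}))
    staff = Consumer("bob", authenticated=True, roles=frozenset({"employee"}))
    for who, res, act in ((hr, "employee_record", "update"),
                          (anon, "employee_record", "update"),
                          (staff, "employee_record", "update"),
                          (staff, "device", "configure")):
        print(who.name, res, act, authorize(who, res, act))
```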
Authorization
OAUTH PROTOCOL
◦ OAuth is an open-standard authorization protocol or framework that describes how unrelated servers and
services can safely allow authenticated access to their assets without actually sharing the initial, related, single
logon credential. In authentication parlance, this is known as secure, third-party, user-agent, delegated
authorization.
◦ Created and strongly supported from the start by Twitter, Google and other companies, OAuth was released as an open standard in 2010 as RFC 5849, and quickly became widely adopted. Over the next two years, it underwent substantial revision, and version 2.0 of OAuth was released in 2012 as RFC 6749. Even though version 2.0 was widely criticized for multiple reasons, it gained even more popularity. Today, you can add Amazon, Facebook, Instagram, LinkedIn, Microsoft, Netflix, PayPal and a list of other internet who's-whos as adopters.
◦ The simplest example of OAuth is when you go to log onto a website and it offers one or more
opportunities to log on using another website’s/service’s logon. You then click on the button
linked to the other website, the other website authenticates you, and the website you were
originally connecting to logs you on itself afterward using permission gained from the second
website.
HOW OAUTH WORKS
◦ Let’s assume a user has already signed into one website or service (OAuth only works using HTTPS). The user then
initiates a feature/transaction that needs to access another unrelated site or service. The following happens (greatly
simplified):
◦ The first website connects to the second website on behalf of the user, using OAuth, providing the user’s verified
identity.
◦ The second site generates a one-time token and a one-time secret unique to the transaction and parties involved.
◦ The first site gives this token and secret to the initiating user’s client software.
◦ The client's software presents the request token and secret to the user's authorization provider (which may or may not be the second site).
◦ If not already authenticated to the authorization provider, the client may be asked to authenticate. After
authentication, the client is asked to approve the authorization transaction to the second website.
◦ The user approves (or their software silently approves) a particular transaction type at the first website.
◦ The user is given an approved access token (notice it’s no longer a request token).
◦ The user gives the approved access token to the first website.
◦ The first website gives the access token to the second website as proof of authentication on behalf of the user.
◦ The second website lets the first website access its site on behalf of the user.
◦ The user sees a successfully completed transaction occurring.
◦ OAuth is not the first authentication/authorization system to work this way on behalf of the end-user. In fact,
many authentication systems, notably Kerberos, work similarly. What is special about OAuth is its ability to work
across the web and its wide adoption. It succeeded with adoption rates where previous attempts failed (for various
reasons).
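The token sequence above, as an added simulation that is not from the slides or from any OAuth library: the second site issues a one-time request token and secret, exchanges it for a distinct access token once the user approves the transaction type, and only then serves the first site. Site names, token format and the transaction type (scope) are constructed, and the exchange is simplified in the same way the slides are.

```python
import secrets


class SecondSite:
    """Plays the second site: issues one-time request tokens, turns approved ones
    into access tokens, and verifies access tokens the first site presents."""

    def __init__(self):
        self.request_tokens = {}  # token -> {"secret", "client", "scope", "user", ...}
        self.access_tokens = {}   # token -> {"client", "scope", "user"}

    def issue_request_token(self, client, user_identity, scope):
        # Steps 1-3: a one-time token and secret unique to this transaction and parties.
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "client": client,
                                      "scope": scope, "user": user_identity}
        return token, secret

    def approve(self, token, secret, user_identity, approved_scope):
        # Steps 4-8: the user's client proves it holds the request token and secret
        # and approves a particular transaction type. Any attempt consumes the token.
        entry = self.request_tokens.pop(token, None)
        if entry is None or not secrets.compare_digest(entry["secret"], secret):
            return None
        if entry["user"] != user_identity or entry["scope"] != approved_scope:
            return None  # approval does not match what was requested
        access = secrets.token_hex(16)  # a new token, deliberately not the request token
        self.access_tokens[access] = {"client": entry["client"],
                                      "scope": entry["scope"], "user": user_identity}
        return access

    def access_resource(self, client, access_token, scope):
        # Steps 9-10: serve only a token approved for this client and this scope.
        grant = self.access_tokens.get(access_token)
        if grant is None or grant["client"] != client or grant["scope"] != scope:
            return None
        return f"{scope} data for {grant['user']}"


def run_flow(second, first_site="first.example", user="alice", scope="read_contacts"):
    """Happy path: the resource the first site obtains on the user's behalf."""
    token, secret = second.issue_request_token(first_site, user, scope)  # steps 1-3
    access = second.approve(token, secret, user, scope)                 # steps 4-8
    return second.access_resource(first_site, access, scope)            # steps 9-11


if __name__ == "__main__":
    print(run_flow(SecondSite()))
```

A request token presented in place of an access token, a consumed request token, a different client, or a different scope all fail verification, which is the property the flow relies on.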
Authorize your Mac or PC
When you authorize your Mac or PC, you give it permission to access your music, movies, and other
content. You can authorize up to 5 computers, which means that you can play your content on 5
different computers. You can't authorize a computer from another computer or from your iPhone,
iPad, or iPod touch. Before you sell or give away your computer or send it in for service,
deauthorize your computer to remove its access to protected purchases.
Credit card authorization
Credit card authorization is an approval from a card issuer, usually through a credit card processor,
that the customer has sufficient funds to cover the cost of the transaction. It can also refer to the
procedure of acquiring that authorization from the issuer.
◦ Authorization is the first step when purchasing goods or services. The merchant sends a request to their acquirer, also called a credit card processor (PayPal, for example). The acquirer then submits a request to the credit card issuer.
◦ The issuer reviews the customer's account and decides if enough funds exist to cover the cost of the sale. If they do, an authorization hold is made, which reduces the customer's credit line by the amount of the sale. An authorization code is sent to the acquirer, who responds to the merchant with an approval code or an error code. When an error code is issued, the transaction is incomplete.
◦ In online payments, the actual money transaction is handled by a process called "Capturing." Authorization is
the acknowledgement of available funds, and it places a hold on those funds. In many cases with online
acquirers, the capturing phase is usually accomplished automatically after the authorization.
◦ Authorizations can fail for technical or financial reasons. Buyers are notified of failures automatically by most online processors. The cause of an authorization failure is identified by its error code. Error codes differ between acquirers. The most important point is that a failed authorization means a sale cannot be completed. The seller should not ship the product or complete the transaction without an authorization code.
◦ If the error code indicates a technical problem, then it is usually the seller's job to fix the issue. In rare cases, the acquirer will have technical issues and the seller will have to wait until these are fixed. In most cases, there is a problem with the information being supplied to the processor. This can be an issue with the configuration or the online submission, such as an incorrectly typed or missing value. In this case, the seller should fix the problem as soon as possible. Error codes indicating financial reasons usually mean there is a problem with the buyer's account.
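An added toy model (not from the slides) of the authorize/hold/capture sequence and the technical-versus-financial error split described above; the error codes, card identifier and credit line are constructed, and real acquirers use their own code sets:

```python
from dataclasses import dataclass, field

# Constructed error codes, split the way the slides describe (real codes vary by acquirer).
TECHNICAL_CODES = {"E_MISSING_FIELD": "required field missing or malformed",
                   "E_ACQUIRER_DOWN": "acquirer temporarily unavailable"}
FINANCIAL_CODES = {"E_NO_ACCOUNT": "unknown card/account",
                   "E_INSUFFICIENT": "insufficient available credit"}


@dataclass
class Account:
    credit_line: int                              # available credit, in cents
    holds: dict = field(default_factory=dict)     # auth_code -> amount on hold


class Issuer:
    """Reviews the account, places a hold, and later lets the held amount be captured."""

    def __init__(self, accounts):
        self.accounts = accounts
        self._seq = 0

    def authorize(self, card, amount):
        acct = self.accounts.get(card)
        if acct is None:
            return None, "E_NO_ACCOUNT"
        if amount > acct.credit_line:
            return None, "E_INSUFFICIENT"
        self._seq += 1
        code = f"AUTH{self._seq:06d}"
        acct.credit_line -= amount   # the hold reduces the customer's line immediately
        acct.holds[code] = amount
        return code, None

    def capture(self, card, code):
        """Move the held money; the hold is released, the line stays reduced."""
        return self.accounts[card].holds.pop(code, None)


class Acquirer:
    """Validates the merchant's submission, then forwards it to the issuer."""

    def __init__(self, issuer, online=True):
        self.issuer, self.online = issuer, online

    def request_authorization(self, submission):
        if not self.online:
            return {"approved": False, "error": "E_ACQUIRER_DOWN"}
        amount = submission.get("amount")
        if not submission.get("card") or not isinstance(amount, int) or amount <= 0:
            return {"approved": False, "error": "E_MISSING_FIELD"}  # seller's data problem
        code, err = self.issuer.authorize(submission["card"], amount)
        return {"approved": code is not None, "auth_code": code, "error": err}


def classify_failure(error_code):
    """Technical problems are the seller's to fix; financial ones lie with the buyer's account."""
    if error_code in TECHNICAL_CODES:
        return "technical"
    return "financial" if error_code in FINANCIAL_CODES else "unknown"


def checkout(acquirer, submission, auto_capture=True):
    """Merchant side: never ship without an auth code; capture automatically if configured."""
    resp = acquirer.request_authorization(submission)
    if not resp["approved"]:
        return {"shipped": False, "error": resp["error"], "cause": classify_failure(resp["error"])}
    captured = acquirer.issuer.capture(submission["card"], resp["auth_code"]) if auto_capture else None
    return {"shipped": True, "auth_code": resp["auth_code"], "captured": captured}
```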